",
+ "type": "string"
+ },
+ "FunctionAppName": {
+ "defaultValue": "illumiopbfuncapp",
+ "type": "String",
+ "metadata": {
+ "description": "Function app Name"
+ }
+ }
+ },
+ "variables": {
+ "o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]",
+ "sentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+ "_connection-1": "[[variables('connection-1')]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('o365ConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "displayName": "[[parameters('DeployersUserName')]",
+ "api": {
+ "id": "[[variables('_connection-1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('sentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "displayName": "[[parameters('DeployersUserName')]",
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "location": "[[variables('workspace-location-inline')]",
+ "name": "[[parameters('PlaybookName')]",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_alert": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@listCallbackUrl()"
+ },
+ "path": "/subscribe"
+ }
+ }
+ },
+ "actions": {
+ "IllumioVenDetails-fetchVenDetails": {
+ "type": "Function",
+ "inputs": {
+ "body": "@triggerBody()",
+ "function": {
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/fetchVenDetails')]"
+ }
+ }
+ },
+ "Initialize_variable": {
+ "runAfter": {
+ "IllumioVenDetails-fetchVenDetails": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "varStyle",
+ "type": "object",
+ "value": {
+ "cellStyle": "style=\"font-family: Calibri; padding: 5px; border: 1px solid black;\"",
+ "headerStyle": "style=\"font-family: Helvetica; padding: 5px; border: 1px solid black;\"",
+ "numcellStyle": "style=\"font-family: Calibri; padding: 5px; border: 1px solid black;text-align: center;\"",
+ "rowStyleHighValues": "style=\"font-size:110%;background-color:#b32400; padding: 5px; border: 1px solid black;text-align: center;\"",
+ "rowStyleInfoValues": "style=\"background-color:#a6a6a6; padding: 5px; border: 1px solid black;text-align: center;\"",
+ "rowStyleLowValues": "style=\"background-color:#ffcc00; padding: 5px; border: 1px solid black;text-align: center;\"",
+ "rowStyleMedValues": "style=\"background-color:#ff6600; padding: 5px; border: 1px solid black;text-align: center;\"",
+ "tableStyle": "style=\"border-collapse: collapse;\""
+ }
+ }
+ ]
+ }
+ },
+ "Initialize_variable_1": {
+ "runAfter": {
+ "Initialize_variable": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "varHTMLTable",
+ "type": "string",
+ "value": "\n \n Created Time | \n Title | \n Severity | \n Description | \n
"
+ }
+ ]
+ }
+ },
+ "Initialize_variable_2": {
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "varSeverityColour",
+ "type": "string",
+ "value": "@triggerBody()?['Severity']"
+ }
+ ]
+ },
+ "runAfter": {
+ "Initialize_variable_3": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Parse_JSON": {
+ "runAfter": {
+ "Initialize_variable_2": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('IllumioVenDetails-fetchVenDetails')",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "response": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "public_ip": {
+ "type": [
+ "string",
+ "null"
+ ]
+ },
+ "hostname": {
+ "type": [
+ "string",
+ "null"
+ ]
+ },
+ "labels": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "href": {
+ "type": "string"
+ },
+ "key": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "href",
+ "key",
+ "value"
+ ]
+ }
+ }
+ },
+ "required": [
+ "public_ip",
+ "hostname",
+ "labels"
+ ]
+ }
+ }
+ }
+ }
+ }
+ },
+ "For_each": {
+ "type": "Foreach",
+ "foreach": "@body('Parse_JSON')?['response']",
+ "actions": {
+ "Append_to_string_variable": {
+ "type": "AppendToStringVariable",
+ "inputs": {
+ "name": "EntityTable",
+ "value": "\n @{item()?['public_ip']} | \n @{item()?['hostname']} | \n @{item()?['labels']} | \n
"
+ }
+ }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Append_to_string_variable_2": {
+ "type": "AppendToStringVariable",
+ "inputs": {
+ "name": "varHTMLTable",
+ "value": "
"
+ },
+ "runAfter": {
+ "Append_to_string_variable_1": [
+ "SUCCEEDED"
+ ]
+ }
+ },
+ "Condition": {
+ "type": "If",
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(body('Parse_JSON')?['response'])",
+ 0
+ ]
+ }
+ ]
+ },
+ "actions": {
+ "Send_an_email_(V2)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365']['connectionId']"
+ }
+ },
+ "method": "post",
+ "body": {
+ "To": "user@domain.com",
+ "Subject": "Microsoft Sentinel: @{triggerBody()?['AlertDisplayName']}",
+ "Body": "In the following, is more information, about the new Azure Sentinel alert:
@{variables('varHTMLTable')}
And VEN details pertaining to entities are
@{variables('EntityTable')}
Illumio
",
+ "Importance": "Normal"
+ },
+ "path": "/v2/Mail"
+ }
+ }
+ },
+ "runAfter": {
+ "Append_to_string_variable_3": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Initialize_variable_3": {
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "EntityTable",
+ "type": "string",
+ "value": "\n \n IP Address | \n Hostname | \n Labels | \n
"
+ }
+ ]
+ },
+ "runAfter": {
+ "Initialize_variable_1": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Append_to_string_variable_3": {
+ "type": "AppendToStringVariable",
+ "inputs": {
+ "name": "EntityTable",
+ "value": "
"
+ },
+ "runAfter": {
+ "Append_to_string_variable_2": [
+ "SUCCEEDED"
+ ]
+ }
+ },
+ "Append_to_string_variable_1": {
+ "type": "AppendToStringVariable",
+ "inputs": {
+ "name": "varHTMLTable",
+ "value": " \n @{triggerBody()?['TimeGenerated']} | \n @{triggerBody()?['AlertDisplayName']} | \n @{triggerBody()?['Severity']} | \n @{triggerBody()?['Description']} | \n
"
+ },
+ "runAfter": {
+ "For_each": [
+ "Succeeded"
+ ]
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]",
+ "connectionName": "[[variables('sentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]"
+ },
+ "office365": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
+ "connectionName": "[[variables('o365ConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
+ }
+ }
+ }
+ }
+ },
+ "tags": {
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId2')]",
+ "contentId": "[variables('_playbookContentId2')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "IllumioSaaS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "app-integrations@illumio.com"
+ },
+ "support": {
+ "name": "Illumio",
+ "email": "app-integrations@illumio.com",
+ "tier": "Partner",
+ "link": "https://www.illumio.com/support/support"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "kind": "AzureFunction",
+ "contentId": "[variables('_IllumioSaaS_FunctionAppConnector')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Illumio Get Ven Details Playbook",
+ "description": "This playbook leverages Illumio workloads API to enrich IP, Hostname and Labels, found in Microsoft Sentinel alerts. .",
+ "prerequisites": [
+ "To use this playbook, ensure that you have valid API key and secret, org id and pce fqdn. Ensure that you deploy the template with the required context."
+ ],
+ "postDeployment": [
+ "After deployment open the playbook in edit mode and configure/authorize all connections and press save. "
+ ],
+ "lastUpdateTime": "2024-11-21T00:00:00Z",
+ "entities": [
+ "ip",
+ "host"
+ ],
+ "tags": [
+ "Enrichment"
+ ],
+ "releaseNotes": [
+ {
+ "version": "1.0",
+ "title": "Illumio Get Ven Details",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId2')]",
+ "contentKind": "Playbook",
+ "displayName": "Illumio-Ven-Details",
+ "contentProductId": "[variables('_playbookcontentProductId2')]",
+ "id": "[variables('_playbookcontentProductId2')]",
+ "version": "[variables('playbookVersion2')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName3')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Illumio-Port-Blocking-Switch Playbook with template version 3.2.3",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion3')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Illumio-Port-Blocking-Switch",
+ "type": "String",
+ "metadata": {
+ "description": "PlayBook Name"
+ }
+ },
+ "FunctionAppName": {
+ "defaultValue": "illumiopbfuncapp",
+ "type": "String",
+ "metadata": {
+ "description": "Function app Name"
+ }
+ }
+ },
+ "variables": {
+ "hostingPlanName": "[[parameters('FunctionAppName')]",
+ "storageAccountName": "[[parameters('FunctionAppName')]",
+ "functionAppName": "[[parameters('FunctionAppName')]",
+ "applicationInsightsName": "[[parameters('FunctionAppName')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "When_a_HTTP_request_is_received": {
+ "type": "Request",
+ "kind": "Http",
+ "inputs": {
+ "method": "POST",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "protocol": {
+ "type": "integer"
+ },
+ "port": {
+ "type": "integer"
+ }
+ }
+ }
+ }
+ }
+ },
+ "actions": {
+ "PortBlockingFunction-runTrafficQuery": {
+ "type": "Function",
+ "inputs": {
+ "body": "@triggerBody()",
+ "function": {
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/runTrafficQuery')]"
+ }
+ }
+ },
+ "PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults": {
+ "runAfter": {
+ "PortBlockingFunction-runTrafficQuery": [
+ "Succeeded"
+ ]
+ },
+ "type": "Function",
+ "inputs": {
+ "body": "@body('PortBlockingFunction-runTrafficQuery')",
+ "function": {
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/fetchVisibilityOnlyWorkloadsFromTrafficResults')]"
+ }
+ }
+ },
+ "PortBlockingFunction-createVirtualService": {
+ "runAfter": {
+ "PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults": [
+ "Succeeded"
+ ]
+ },
+ "type": "Function",
+ "inputs": {
+ "body": "@body('PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults')",
+ "function": {
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/createVirtualService')]"
+ }
+ }
+ },
+ "PortBlockingFunction-bindWorkloadsToVirtualService": {
+ "runAfter": {
+ "PortBlockingFunction-createVirtualService": [
+ "Succeeded"
+ ]
+ },
+ "type": "Function",
+ "inputs": {
+ "body": "@body('PortBlockingFunction-createVirtualService')",
+ "function": {
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/bindWorkloadsToVirtualService')]"
+ }
+ }
+ },
+ "PortBlockingFunction-createAllowRuleForVirtualService": {
+ "runAfter": {
+ "PortBlockingFunction-bindWorkloadsToVirtualService": [
+ "Succeeded"
+ ]
+ },
+ "type": "Function",
+ "inputs": {
+ "body": "@body('PortBlockingFunction-bindWorkloadsToVirtualService')",
+ "function": {
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/createAllowRuleForVirtualService')]"
+ }
+ }
+ },
+ "PortBlockingFunction-changeWorkloadEnforcementState": {
+ "runAfter": {
+ "PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults": [
+ "Succeeded"
+ ]
+ },
+ "type": "Function",
+ "inputs": {
+ "body": "@body('PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults')",
+ "function": {
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/changeWorkloadEnforcementState')]"
+ }
+ }
+ },
+ "PortBlockingFunction-createDenyRule": {
+ "runAfter": {
+ "PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults": [
+ "Succeeded"
+ ]
+ },
+ "type": "Function",
+ "inputs": {
+ "body": "@body('PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults')",
+ "function": {
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/createDenyRule')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ "tags": {
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId3')]",
+ "contentId": "[variables('_playbookContentId3')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion3')]",
+ "source": {
+ "kind": "Solution",
+ "name": "IllumioSaaS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "app-integrations@illumio.com"
+ },
+ "support": {
+ "name": "Illumio",
+ "email": "app-integrations@illumio.com",
+ "tier": "Partner",
+ "link": "https://www.illumio.com/support/support"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "kind": "AzureFunction",
+ "contentId": "[variables('_IllumioSaaS_FunctionAppConnector')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Illumio Containment Switch Playbook",
+ "description": "This playbook leverages Illumio workloads API to contain and isolate a workload based on user inputs. .",
+ "prerequisites": [
+ "To use this playbook, ensure that you have valid API key and secret, org id and pce fqdn. Ensure that you deploy the template with the required context."
+ ],
+ "postDeployment": [
+ "After deployment open the playbook in edit mode and configure/authorize all connections and press save. "
+ ],
+ "lastUpdateTime": "2024-11-21T00:00:00Z",
+ "tags": [
+ "Remediation"
+ ],
+ "releaseNotes": [
+ {
+ "version": "1.0",
+ "title": "Illumio Containment Switch",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId3')]",
+ "contentKind": "Playbook",
+ "displayName": "Illumio-Port-Blocking-Switch",
+ "contentProductId": "[variables('_playbookcontentProductId3')]",
+ "id": "[variables('_playbookcontentProductId3')]",
+ "version": "[variables('playbookVersion3')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName4')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Illumio-Quarantine-Workload Playbook with template version 3.2.3",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion4')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Illumio-Quarantine-Workload",
+ "type": "String",
+ "metadata": {
+ "description": "PlayBook Name"
+ }
+ },
+ "FunctionAppName": {
+ "defaultValue": "illumiopbfuncapp",
+ "type": "String",
+ "metadata": {
+ "description": "Function app Name"
+ }
+ }
+ },
+ "variables": {
+ "functionAppName": "[[parameters('FunctionAppName')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "When_a_HTTP_request_is_received": {
+ "type": "Request",
+ "kind": "Http",
+ "inputs": {
+ "method": "POST",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "workloads": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "labels": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "actions": {
+ "QuarantineWorkloadFuncApp-quarantineWorkloadHTTPTrigger": {
+ "type": "Function",
+ "inputs": {
+ "body": "@triggerBody()",
+ "function": {
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/quarantineWorkloadHTTPTrigger')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ "tags": {
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId4')]",
+ "contentId": "[variables('_playbookContentId4')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion4')]",
+ "source": {
+ "kind": "Solution",
+ "name": "IllumioSaaS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "app-integrations@illumio.com"
+ },
+ "support": {
+ "name": "Illumio",
+ "email": "app-integrations@illumio.com",
+ "tier": "Partner",
+ "link": "https://www.illumio.com/support/support"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "kind": "AzureFunction",
+ "contentId": "[variables('_IllumioSaaS_FunctionAppConnector')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Illumio Workload Quarantine Playbook",
+ "description": "This playbook leverages Illumio workloads API to quarantine a workload based on user inputs. .",
+ "prerequisites": [
+ "To use this playbook, ensure that you have valid API key and secret, org id and pce fqdn. Ensure that you deploy the template with the required context."
+ ],
+ "postDeployment": [
+ "After deployment open the playbook in edit mode and configure/authorize all connections and press save. "
+ ],
+ "lastUpdateTime": "2024-12-10T00:00:00Z",
+ "tags": [
+ "Remediation"
+ ],
+ "releaseNotes": [
+ {
+ "version": "1.0",
+ "title": "Illumio Quarantine Workload",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId4')]",
+ "contentKind": "Playbook",
+ "displayName": "Illumio-Quarantine-Workload",
+ "contentProductId": "[variables('_playbookcontentProductId4')]",
+ "id": "[variables('_playbookcontentProductId4')]",
+ "version": "[variables('playbookVersion4')]"
+ }
+ },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.2.2",
+ "version": "3.2.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "IllumioSaaS",
"publisherDisplayName": "Illumio",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nIllumioSaaS solution provides ability to ingest auditable and flow events from AWS S3 bucket.
\nData Connectors: 1, Workbooks: 3, Analytic Rules: 6
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nIllumioSaaS solution provides ability to ingest auditable and flow events from AWS S3 bucket.
\nData Connectors: 1, Workbooks: 3, Analytic Rules: 6, Function Apps: 1, Playbooks: 3
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -1526,6 +2654,26 @@
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
+ },
+ {
+ "kind": "AzureFunction",
+ "contentId": "[variables('_IllumioSaaS_FunctionAppConnector')]",
+ "version": "[variables('playbookVersion1')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_Illumio-Get-Ven-Details')]",
+ "version": "[variables('playbookVersion2')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_Illumio-Port-Blocking-Switch')]",
+ "version": "[variables('playbookVersion3')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_Illumio-Quarantine-Workload')]",
+ "version": "[variables('playbookVersion4')]"
}
]
},
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/illumio-containment-switch.zip b/Solutions/IllumioSaaS/Playbooks/CustomConnector/IllumioSaaS_FunctionAppConnector/IllumioSaaS_FunctionAppForPlaybooks.zip
similarity index 83%
rename from Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/illumio-containment-switch.zip
rename to Solutions/IllumioSaaS/Playbooks/CustomConnector/IllumioSaaS_FunctionAppConnector/IllumioSaaS_FunctionAppForPlaybooks.zip
index 236e9adc689..6e6ab297770 100644
Binary files a/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/illumio-containment-switch.zip and b/Solutions/IllumioSaaS/Playbooks/CustomConnector/IllumioSaaS_FunctionAppConnector/IllumioSaaS_FunctionAppForPlaybooks.zip differ
diff --git a/Solutions/IllumioSaaS/Playbooks/CustomConnector/IllumioSaaS_FunctionAppConnector/azuredeploy.json b/Solutions/IllumioSaaS/Playbooks/CustomConnector/IllumioSaaS_FunctionAppConnector/azuredeploy.json
new file mode 100644
index 00000000000..29f4b6f2c60
--- /dev/null
+++ b/Solutions/IllumioSaaS/Playbooks/CustomConnector/IllumioSaaS_FunctionAppConnector/azuredeploy.json
@@ -0,0 +1,186 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "FunctionAppName": {
+ "defaultValue": "illumiopbfuncapp",
+ "type": "String",
+ "metadata": {
+ "description": "Function app Name"
+ }
+ },
+ "StorageAccountName": {
+ "type": "String",
+ "metadata": {
+ "description": "Storage name should be globally unique name"
+ }
+ },
+ "PCE_FQDN": {
+ "type": "String",
+ "metadata": {
+ "description": "FQDN of PCE"
+ }
+ },
+ "PORT": {
+ "type": "String",
+ "metadata": {
+ "description": "Port that PCE connects to, like 443"
+ }
+ },
+ "ORG_ID": {
+ "type": "String",
+ "metadata": {
+ "description": "Customer's org id"
+ }
+ },
+ "API_KEY": {
+ "type": "String",
+ "metadata": {
+ "description": "API key"
+ }
+ },
+ "API_SECRET": {
+ "type": "String",
+ "metadata": {
+ "description": "API secret"
+ }
+ }
+ },
+ "variables": {
+ "hostingPlanName": "[parameters('FunctionAppName')]",
+ "storageAccountName": "[parameters('StorageAccountName')]",
+ "functionAppName": "[parameters('FunctionAppName')]",
+ "applicationInsightsName": "[parameters('FunctionAppName')]",
+ "pceFQDN": "[parameters('PCE_FQDN')]",
+ "port": "[parameters('PORT')]",
+ "orgId": "[parameters('ORG_ID')]",
+ "apiKey": "[parameters('API_KEY')]",
+ "apiSecret": "[parameters('API_SECRET')]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2022-03-01",
+ "name": "[variables('hostingPlanName')]",
+ "location": "[resourceGroup().location]",
+ "sku": {
+ "name": "Y1",
+ "tier": "Dynamic"
+ },
+ "properties": {
+ "name": "[variables('hostingPlanName')]",
+ "computeMode": "Dynamic"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2023-04-01",
+ "name": "[variables('storageAccountName')]",
+ "location": "[resourceGroup().location]",
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "kind": "StorageV2",
+ "properties": {
+ "accessTier": "Hot",
+ "minimumTlsVersion": "TLS1_2",
+ "supportsHttpsTrafficOnly": "true",
+ "allowBlobPublicAccess": "false",
+ "allowSharedKeyAccess": "true",
+ "networkAcls": {
+ "bypass": "AzureServices",
+ "defaultAction": "Allow",
+ "ipRules": []
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Insights/components",
+ "apiVersion": "2020-02-02",
+ "name": "[variables('applicationInsightsName')]",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "[concat('hidden-link:', resourceId('Microsoft.Web/sites', variables('applicationInsightsName')))]": "Resource"
+ },
+ "properties": {
+ "Application_Type": "web"
+ },
+ "kind": "web"
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('functionAppName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "functionapp,linux",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
+ "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]"
+ ],
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
+ "siteConfig": {
+ "appSettings": [
+ {
+ "name": "AzureWebJobsStorage",
+ "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-04-01').keys[0].value)]"
+ },
+ {
+ "name": "FUNCTIONS_EXTENSION_VERSION",
+ "value": "~4"
+ },
+ {
+ "name": "FUNCTIONS_WORKER_RUNTIME",
+ "value": "node"
+ },
+ {
+ "name": "WEBSITE_NODE_DEFAULT_VERSION",
+ "value": "~20"
+ },
+ {
+ "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
+ "value": "[reference(resourceId('microsoft.insights/components', variables('applicationInsightsName')), '2020-02-02').InstrumentationKey]"
+ },
+ {
+ "name": "WEBSITE_RUN_FROM_PACKAGE",
+ "value": "https://raw.githubusercontent.com/illumio-shield/Azure-Sentinel/illumio-sentinel-playbook-v2/Solutions/IllumioSaaS/Playbooks/CustomConnector/IllumioSaaS_FunctionAppConnector/IllumioSaaS_FunctionAppForPlaybooks.zip"
+ },
+ {
+ "name": "PCE_FQDN",
+ "value": "[variables('pceFQDN')]"
+ },
+ {
+ "name": "PORT",
+ "value": "[variables('port')]"
+ },
+ {
+ "name": "ORG_ID",
+ "value": "[variables('orgId')]"
+ },
+ {
+ "name": "API_KEY",
+ "value": "[variables('apiKey')]"
+ },
+ {
+ "name": "API_SECRET",
+ "value": "[variables('apiSecret')]"
+ }
+ ]
+ },
+ "cors": {
+ "allowedOrigins": [
+ "https://functions.azure.com",
+ "https://functions-staging.azure.com",
+ "https://functions-next.azure.com"
+ ],
+ "supportCredentials": false
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
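Review bot: `API_KEY` and `API_SECRET` are declared with `"type": "String"`, so the values a deployer enters are persisted in clear text in the resource group's deployment history and readable by anyone with read access to it; declare both as `"type": "SecureString"` (the `[variables(...)]` plumbing and the app-setting assignments need no change). The same values are then written as plain app settings of the function app; a Key Vault reference would keep them out of the site configuration, but at minimum the parameter type change stops the deployment-history exposure. `WEBSITE_RUN_FROM_PACKAGE` pulls the function code from the fork branch `illumio-shield/Azure-Sentinel/illumio-sentinel-playbook-v2`, so what gets deployed is whatever that branch holds at deployment time rather than the zip this PR adds; the README hunk further down links the function-app template from a branch spelled `illumio-sentinel-playbooks-v2`, so one of the two names is probably wrong. Lastly, `supportsHttpsTrafficOnly`, `allowBlobPublicAccess` and `allowSharedKeyAccess` are given as the strings `"true"`/`"false"` where the storage resource takes JSON booleans.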
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/README.md b/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/README.md
index e69de29bb2d..5679ebc0209 100644
--- a/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/README.md
+++ b/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/README.md
@@ -0,0 +1,31 @@
+# Microsoft Sentinel Playbooks for Illumio Integration
+
+Playbooks are collections of procedures that can be run from Microsoft Sentinel.
+
+---
+
+## Get VEN Details Playbook
+
+This playbook can be configured to respond to Microsoft Sentinel alerts.
+
+1. Once an alert is triggered, its body is sent to a function app.
+2. The function talks to the PCE with the help of api key/secret.
+3. Once VEN details are fetched from PCE, then the playbook constructs a table with the relevant information.
+4. Table comprises of, alert title, severity, ven details like ip address, hostname and labels and alert description.
+5. This is sent out as an email.
+
+# To deploy, follow the below link
+Deploy the function app first:
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fillumio-shield%2FAzure-Sentinel%2Frefs%2Fheads%2Fillumio-sentinel-playbooks-v2%2FSolutions%2FIllumioSaaS%2FPlaybooks%2FCustomConnector%2FIllumioSaaS_FunctionAppConnector%2Fazuredeploy.json)
+
+Deploy logic app next:
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Frefs%2Fheads%2Fmaster%2FSolutions%2FIllumioSaaS%2FPlaybooks%2FIllumio-Get-Ven-Details%2Fazuredeploy.json)
+
+
+This playbook creates API connections, since it needs to query/interact with Outlook 365 and Microsoft Sentinel.
+
+Hence, ensure to provide "Deployers User name" as an email address.
+
+Provide PCE fqdn, port, org id, api key and secret, click Next and follow next steps to deploy playbook.
+
+Once deployed, authorize the api connections.
\ No newline at end of file
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/azuredeploy.json b/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/azuredeploy.json
index c28be9c2538..a07ddfc2d56 100644
--- a/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/azuredeploy.json
+++ b/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/azuredeploy.json
@@ -3,18 +3,18 @@
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Illumio Get Ven Details Playbook",
- "description": "This playbook leverages Illumio workloads API to enrich IP, Hostname and Labels, found in Microsoft Sentinel alerts. .",
+ "description": "This playbook leverages Illumio workloads API to enrich IP, Hostname and Labels, found in Microsoft Sentinel alerts. .",
"prerequisites": [
"To use this playbook, ensure that you have valid API key and secret, org id and pce fqdn. Ensure that you deploy the template with the required context."
],
"postDeployment": [
- "After deployment open the playbook in edit mode and configure/authorize all connections and press save. "
+ "After deployment open the playbook in edit mode and configure/authorize all connections and press save. "
],
"prerequisitesDeployTemplateFile": "",
"lastUpdateTime": "2024-11-21T00:00:00.000Z",
"entities": [
"ip",
- "host"
+ "host"
],
"tags": [ "Enrichment" ],
"support": {
@@ -30,7 +30,7 @@
"notes": [ "Initial version" ]
}
]
- },
+ },
"parameters": {
"PlaybookName": {
"defaultValue": "Illumio-Ven-Details",
@@ -44,54 +44,14 @@
"type": "string"
},
"FunctionAppName": {
- "defaultValue": "IllumioVenDetails",
+ "defaultValue": "illumiopbfuncapp",
"type": "String",
"metadata": {
"description": "Function app Name"
}
- },
- "PCE_FQDN": {
- "type": "String",
- "metadata": {
- "description": "FQDN of PCE"
- }
- },
- "PORT": {
- "type": "String",
- "metadata": {
- "description": "Port that PCE connects to, like 443"
- }
- },
- "ORG_ID": {
- "type": "String",
- "metadata": {
- "description": "Customer's org id"
- }
- },
- "API_KEY": {
- "type": "String",
- "metadata": {
- "description": "API key"
- }
- },
- "API_SECRET": {
- "type": "String",
- "metadata": {
- "description": "API secret"
- }
}
},
- "variables": {
- "location": "[resourceGroup().location]",
- "hostingPlanName": "[parameters('FunctionAppName')]",
- "storageAccountName": "vendetailsstorage",
- "functionAppName": "[parameters('FunctionAppName')]",
- "applicationInsightsName": "[parameters('FunctionAppName')]",
- "pceFQDN": "[parameters('PCE_FQDN')]",
- "port": "[parameters('PORT')]",
- "orgId": "[parameters('ORG_ID')]",
- "apiKey": "[parameters('API_KEY')]",
- "apiSecret": "[parameters('API_SECRET')]",
+ "variables": {
"o365ConnectionName": "[concat('o365-', parameters('PlaybookName'))]",
"sentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
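Review bot: The PCE_FQDN, PORT, ORG_ID, API_KEY and API_SECRET parameters are dropped from this template, but the README added for this playbook in the same commit still instructs the deployer to "Provide PCE fqdn, port, org id, api key and secret" before clicking Next; that instruction now only applies to the CustomConnector function-app template and should be moved or rephrased there. Since the function app is no longer created here, the `FunctionAppName` default `illumiopbfuncapp` must match the name chosen when the connector template was deployed and nothing checks that at deploy time; making the coupling explicit in the parameter metadata, e.g. `"description": "Name of the already-deployed IllumioSaaS function app (must match the FunctionAppName used for the CustomConnector template)"`, would spare users a silent 404 from the Function action.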
@@ -122,140 +82,12 @@
}
}
},
- {
- "type": "Microsoft.Web/serverfarms",
- "apiVersion": "2020-06-01",
- "name": "[variables('hostingPlanName')]",
- "location": "[variables('location')]",
- "sku": {
- "name": "Y1",
- "tier": "Dynamic"
- },
- "properties": {
- "name": "[variables('hostingPlanName')]",
- "computeMode": "Dynamic"
- }
- },
- {
- "type": "Microsoft.Storage/storageAccounts",
- "apiVersion": "2019-06-01",
- "name": "[variables('storageAccountName')]",
- "location": "[variables('location')]",
- "sku": {
- "name": "Standard_LRS",
- "tier": "Standard"
- },
- "kind": "StorageV2",
- "properties": {
- "accessTier": "Hot",
- "minimumTlsVersion": "TLS1_2",
- "supportsHttpsTrafficOnly": "true",
- "allowBlobPublicAccess": "false",
- "allowSharedKeyAccess": "true",
- "networkAcls": {
- "bypass": "AzureServices",
- "defaultAction": "Allow",
- "ipRules": []
- }
- }
- },
- {
- "type": "Microsoft.Insights/components",
- "apiVersion": "2020-02-02",
- "name": "[variables('applicationInsightsName')]",
- "location": "[resourceGroup().location]",
- "tags": {
- "[concat('hidden-link:', resourceId('Microsoft.Web/sites', variables('applicationInsightsName')))]": "Resource"
- },
- "properties": {
- "Application_Type": "web"
- },
- "kind": "web"
- },
- {
- "type": "Microsoft.Web/sites",
- "apiVersion": "2020-06-01",
- "name": "[variables('functionAppName')]",
- "location": "[variables('location')]",
- "kind": "functionapp,linux",
- "identity": {
- "type": "SystemAssigned"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
- "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]"
- ],
- "properties": {
- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
- "siteConfig": {
- "appSettings": [
- {
- "name": "AzureWebJobsStorage",
- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]"
- },
- {
- "name": "FUNCTIONS_EXTENSION_VERSION",
- "value": "~4"
- },
- {
- "name": "FUNCTIONS_WORKER_RUNTIME",
- "value": "node"
- },
- {
- "name": "WEBSITE_NODE_DEFAULT_VERSION",
- "value": "~20"
- },
- {
- "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
- "value": "[reference(resourceId('microsoft.insights/components', variables('applicationInsightsName')), '2020-02-02-preview').InstrumentationKey]"
- },
- {
- "name": "WEBSITE_RUN_FROM_PACKAGE",
- "value": "https://raw.githubusercontent.com/illumio-shield/Azure-Sentinel/illumio-sentinel-playbook/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/illumio-ven-details.zip"
- },
- {
- "name": "PCE_FQDN",
- "value": "[variables('pceFQDN')]"
- },
- {
- "name": "PORT",
- "value": "[variables('port')]"
- },
- {
- "name": "ORG_ID",
- "value": "[variables('orgId')]"
- },
- {
- "name": "API_KEY",
- "value": "[variables('apiKey')]"
- },
- {
- "name": "API_SECRET",
- "value": "[variables('apiSecret')]"
- }
- ]
- },
- "cors": {
- "allowedOrigins": [
- "https://functions.azure.com",
- "https://functions-staging.azure.com",
- "https://functions-next.azure.com"
- ],
- "supportCredentials": false
- }
- }
- },
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
- "location": "[variables('location')]",
+ "location": "[resourceGroup().location]",
"name": "[parameters('PlaybookName')]",
- "dependsOn": [
- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
- "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]",
- "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]",
+ "dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]"
],
"properties": {
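Review bot: The rebuilt `dependsOn` on the Logic/workflows resource lists only the o365 connection even though `sentinelConnectionName` is still declared in variables; if the definition's `$connections` block (outside this hunk) still references the azuresentinel connection, add `"[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]"` so the connection exists before the workflow is validated. The workflow also no longer depends on the function app it calls, so ordering is enforced only by the README's "deploy the function app first"; that is unavoidable across separate templates, but it belongs in `metadata.prerequisites` rather than only in the README.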
@@ -335,7 +167,7 @@
{
"name": "varHTMLTable",
"type": "string",
- "value": "\n \n Incident Number | \n Created Time | \n Title | \n Ven Details | \n Description | \n Incident URL | \n
"
+ "value": "\n \n Created Time | \n Title | \n Severity | \n Description | \n
"
}
]
}
@@ -428,7 +260,7 @@
"type": "AppendToStringVariable",
"inputs": {
"name": "EntityTable",
- "value": "\n @{item()?['public_ip']} | \n @{item()?['hostname']} | \n @{item()?['labels']} | \n
"
+ "value": "\n @{item()?['public_ip']} | \n @{item()?['hostname']} | \n @{item()?['labels']} | \n
"
}
}
},
@@ -438,15 +270,15 @@
]
}
},
- "Append_to_string_variable_1": {
+ "Append_to_string_variable_2": {
"type": "AppendToStringVariable",
"inputs": {
- "name": "EntityTable",
+ "name": "varHTMLTable",
"value": "
"
},
"runAfter": {
- "Append_to_string_variable_2": [
- "Succeeded"
+ "Append_to_string_variable_1": [
+ "SUCCEEDED"
]
}
},
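Review bot: The `runAfter` status values now mix casings within one definition: `"SUCCEEDED"` here and in the `@@ -508,12 +340,24 @@` hunk, `"Succeeded"` in the remaining `runAfter` entries. Logic Apps appears to accept either spelling, so this is a style point, but a single form per file keeps searches and future diffs clean; `"Succeeded"` is the one already used elsewhere in this file.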
@@ -473,9 +305,9 @@
},
"method": "post",
"body": {
- "To": "[parameters('DeployersUserName')]",
- "Subject": "Test Alert details",
- "Body": "In the following, is more information, about the new Azure Sentinel incident:
@{variables('varHTMLTable')}
Illumio
",
+ "To": "user@domain.com",
+ "Subject": "Microsoft Sentinel: @{triggerBody()?['AlertDisplayName']}",
+ "Body": "In the following, is more information, about the new Azure Sentinel alert:
@{variables('varHTMLTable')}
And VEN details pertaining to entities are
@{variables('EntityTable')}
Illumio
",
"Importance": "Normal"
},
"path": "/v2/Mail"
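Review bot: `"To": "user@domain.com"` replaces the previous `[parameters('DeployersUserName')]`, so every deployment now mails alert details to a literal placeholder until someone edits the action by hand, and the README's advice to enter "Deployers User name" as an email address no longer has any effect on the recipient. Either restore `"To": "[parameters('DeployersUserName')]"` or introduce a dedicated recipient parameter and mention in `metadata.postDeployment` that it must be set. The Send-email action's enclosing block starts before this hunk.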
@@ -486,7 +318,7 @@
"actions": {}
},
"runAfter": {
- "Append_to_string_variable_1": [
+ "Append_to_string_variable_3": [
"Succeeded"
]
}
@@ -508,12 +340,24 @@
]
}
},
- "Append_to_string_variable_2": {
+ "Append_to_string_variable_3": {
"type": "AppendToStringVariable",
"inputs": {
- "name": "varHTMLTable",
+ "name": "EntityTable",
"value": "
"
},
+ "runAfter": {
+ "Append_to_string_variable_2": [
+ "SUCCEEDED"
+ ]
+ }
+ },
+ "Append_to_string_variable_1": {
+ "type": "AppendToStringVariable",
+ "inputs": {
+ "name": "varHTMLTable",
+ "value": " \n @{triggerBody()?['TimeGenerated']} | \n @{triggerBody()?['AlertDisplayName']} | \n @{triggerBody()?['Severity']} | \n @{triggerBody()?['Description']} | \n
"
+ },
"runAfter": {
"For_each": [
"Succeeded"
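Review bot: `Append_to_string_variable_1` builds an HTML table row by interpolating `triggerBody()?['AlertDisplayName']`, `?['Severity']` and `?['Description']` straight into markup, and the row is later embedded unchanged in the O365 mail body; alert titles and descriptions in Sentinel are frequently derived from log fields (hostnames, command lines, user-agent strings) that an external party can influence, so any markup in them is rendered in the recipient's mail client. Escape each field before appending, for example `@{replace(replace(replace(coalesce(triggerBody()?['Description'], ''), '&', '&amp;'), '<', '&lt;'), '>', '&gt;')}`; the same applies to the `public_ip`/`hostname`/`labels` row built from the PCE response in the `@@ -428,7 +260,7 @@` hunk. The `coalesce` also covers alerts with no description, which would otherwise leave an empty expression result in the cell.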
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/illumio-ven-details.zip b/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/illumio-ven-details.zip
deleted file mode 100644
index c0d6d926594..00000000000
Binary files a/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/illumio-ven-details.zip and /dev/null differ
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/README.md b/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/README.md
index e69de29bb2d..189058fb3f6 100644
--- a/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/README.md
+++ b/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/README.md
@@ -0,0 +1,64 @@
+# Microsoft Sentinel Playbooks for Illumio Integration
+
+Playbooks are collections of procedures that can be run from Microsoft Sentinel.
+
+---
+
+## Containment Switch Playbook
+
+The **Containment Switch** playbook is designed to help isolate workloads. It includes the following procedures:
+
+1. **Run an Explorer Query**
+ Queries Illumio PCE for potentially blocked or unknown traffic for a given port-protocol combination over the last week.
+2. **Get a List of Visibility-Only Workloads**
+ Parses the query response to identify workloads marked as visibility-only.
+3. **Create a Deny Rule**
+ Creates and provisions a deny rule from all IPs to all workloads for the specified port-protocol combination.
+4. **Create a Virtual Service**
+ Creates and provisions a virtual service for the given port-protocol combination.
+5. **Create Workload Bindings**
+ Binds workloads to the virtual service created in Step 4.
+6. **Create an Allow Rule**
+ Creates and provisions an allow rule from workloads to the virtual service.
+7. **Change Enforcement State**
+ Changes the enforcement state of visibility-only workloads to selective state.
+
+Each procedure is implemented as a function within an Azure Function App.
+
+---
+
+### How It Works
+
+The playbook provides the following capabilities:
+
+- Queries Illumio PCE for traffic matching the specified port-protocol combination.
+- Parses the response to identify visibility-only workloads.
+- Provisions rules and objects in the PCE based on the parsed data.
+
+#### Example Input to the Playbook:
+```json
+{
+ "protocol": 17,
+ "port": 5354,
+ "applyChanges": true
+}
+```
+
+Regarding "applyChanges":
+If true, the playbook will create and provision changes (including workload enforcement changes).
+If false, it skips object creation/modification steps and only provides a summary of actions, but traffic query results and parsed workloads will still be available.
+
+
+
+# To deploy, follow the below link
+Deploy the function app first:
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fillumio-shield%2FAzure-Sentinel%2Frefs%2Fheads%2Fillumio-sentinel-playbooks-v2%2FSolutions%2FIllumioSaaS%2FPlaybooks%2FCustomConnector%2FIllumioSaaS_FunctionAppConnector%2Fazuredeploy.json)
+
+Deploy logic app next:
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Frefs%2Fheads%2Fmaster%2FSolutions%2FIllumioSaaS%2FPlaybooks%2FIllumio-Port-Blocking-Switch%2Fazuredeploy.json)
+
+
+User can modify the playbook name, function app name as per requirements.
+
+PCE fqdn, port, org id, api key and secret are needed for communicating with the pce.
+Once these are entered, click on next and follow steps to deploy.
\ No newline at end of file
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json b/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json
index c50d1922fa1..dd3e255161e 100644
--- a/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json
+++ b/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json
@@ -3,12 +3,12 @@
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Illumio Containment Switch Playbook",
- "description": "This playbook leverages Illumio workloads API to contain and isolate a workload based on user inputs. .",
+ "description": "This playbook leverages Illumio workloads API to contain and isolate a workload based on user inputs. .",
"prerequisites": [
"To use this playbook, ensure that you have valid API key and secret, org id and pce fqdn. Ensure that you deploy the template with the required context."
],
"postDeployment": [
- "After deployment open the playbook in edit mode and configure/authorize all connections and press save. "
+ "After deployment open the playbook in edit mode and configure/authorize all connections and press save. "
],
"prerequisitesDeployTemplateFile": "",
"lastUpdateTime": "2024-11-21T00:00:00.000Z",
@@ -39,192 +39,25 @@
}
},
"FunctionAppName": {
- "defaultValue": "IllumioPortBlockingApp",
+ "defaultValue": "illumiopbfuncapp",
"type": "String",
"metadata": {
"description": "Function app Name"
}
- },
- "PCE_FQDN": {
- "type": "String",
- "metadata": {
- "description": "FQDN of PCE"
- }
- },
- "PORT": {
- "type": "String",
- "metadata": {
- "description": "Port that PCE connects to, like 443"
- }
- },
- "ORG_ID": {
- "type": "String",
- "metadata": {
- "description": "Customer's org id"
- }
- },
- "API_KEY": {
- "type": "String",
- "metadata": {
- "description": "API key"
- }
- },
- "API_SECRET": {
- "type": "String",
- "metadata": {
- "description": "API secret"
- }
}
},
"variables": {
- "location": "[resourceGroup().location]",
"hostingPlanName": "[parameters('FunctionAppName')]",
- "storageAccountName": "portblockstorage",
+ "storageAccountName": "[parameters('FunctionAppName')]",
"functionAppName": "[parameters('FunctionAppName')]",
- "applicationInsightsName": "[parameters('FunctionAppName')]",
- "pceFQDN": "[parameters('PCE_FQDN')]",
- "port": "[parameters('PORT')]",
- "orgId": "[parameters('ORG_ID')]",
- "apiKey": "[parameters('API_KEY')]",
- "apiSecret": "[parameters('API_SECRET')]",
- "sentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
+ "applicationInsightsName": "[parameters('FunctionAppName')]"
},
"resources": [
- {
- "type": "Microsoft.Web/serverfarms",
- "apiVersion": "2020-06-01",
- "name": "[variables('hostingPlanName')]",
- "location": "[variables('location')]",
- "sku": {
- "name": "Y1",
- "tier": "Dynamic"
- },
- "properties": {
- "name": "[variables('hostingPlanName')]",
- "computeMode": "Dynamic"
- }
- },
- {
- "type": "Microsoft.Storage/storageAccounts",
- "apiVersion": "2019-06-01",
- "name": "[variables('storageAccountName')]",
- "location": "[variables('location')]",
- "sku": {
- "name": "Standard_LRS",
- "tier": "Standard"
- },
- "kind": "StorageV2",
- "properties": {
- "accessTier": "Hot",
- "minimumTlsVersion": "TLS1_2",
- "supportsHttpsTrafficOnly": "true",
- "allowBlobPublicAccess": "false",
- "allowSharedKeyAccess": "true",
- "networkAcls": {
- "bypass": "AzureServices",
- "defaultAction": "Allow",
- "ipRules": []
- }
- }
- },
- {
- "type": "Microsoft.Insights/components",
- "apiVersion": "2020-02-02",
- "name": "[variables('applicationInsightsName')]",
- "location": "[resourceGroup().location]",
- "tags": {
- "[concat('hidden-link:', resourceId('Microsoft.Web/sites', variables('applicationInsightsName')))]": "Resource"
- },
- "properties": {
- "Application_Type": "web"
- },
- "kind": "web"
- },
- {
- "type": "Microsoft.Web/sites",
- "apiVersion": "2020-06-01",
- "name": "[variables('functionAppName')]",
- "location": "[variables('location')]",
- "kind": "functionapp,linux",
- "identity": {
- "type": "SystemAssigned"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
- "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]"
- ],
- "properties": {
- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
- "siteConfig": {
- "appSettings": [
- {
- "name": "AzureWebJobsStorage",
- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]"
- },
- {
- "name": "FUNCTIONS_EXTENSION_VERSION",
- "value": "~4"
- },
- {
- "name": "FUNCTIONS_WORKER_RUNTIME",
- "value": "node"
- },
- {
- "name": "WEBSITE_NODE_DEFAULT_VERSION",
- "value": "~20"
- },
- {
- "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
- "value": "[reference(resourceId('microsoft.insights/components', variables('applicationInsightsName')), '2020-02-02-preview').InstrumentationKey]"
- },
- {
- "name": "WEBSITE_RUN_FROM_PACKAGE",
- "value": "https://raw.githubusercontent.com/illumio-shield/Azure-Sentinel/illumio-sentinel-playbook/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/illumio-containment-switch.zip"
- },
- {
- "name": "PCE_FQDN",
- "value": "[variables('pceFQDN')]"
- },
- {
- "name": "PORT",
- "value": "[variables('port')]"
- },
- {
- "name": "ORG_ID",
- "value": "[variables('orgId')]"
- },
- {
- "name": "API_KEY",
- "value": "[variables('apiKey')]"
- },
- {
- "name": "API_SECRET",
- "value": "[variables('apiSecret')]"
- }
- ]
- },
- "cors": {
- "allowedOrigins": [
- "https://functions.azure.com",
- "https://functions-staging.azure.com",
- "https://functions-next.azure.com"
- ],
- "supportCredentials": false
- }
- }
- },
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
- "location": "[variables('location')]",
- "dependsOn": [
- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
- "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]",
- "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
- ],
+ "location": "[resourceGroup().location]",
"properties": {
"state": "Enabled",
"definition": {
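Review bot: `hostingPlanName`, `storageAccountName` and `applicationInsightsName` are kept in `variables` although every resource that consumed them (serverfarm, storage account, Insights component, site) is removed in this hunk; unless the workflow definition outside the hunk references them, they are dead and `storageAccountName` in particular now aliases `FunctionAppName` for no reason. Only `functionAppName` looks still needed for the Function action's resource id. As with the Get-Ven-Details template, the README for this playbook still says "PCE fqdn, port, org id, api key and secret are needed … Once these are entered, click on next" even though those parameters no longer exist here.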
@@ -356,13 +189,7 @@
},
"parameters": {
"$connections": {
- "value": {
- "azuresentinel": {
- "connectionId": "[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]",
- "connectionName": "[variables('sentinelConnectionName')]",
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
- }
- }
+ "value": {}
}
}
}
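Review bot: `$connections.value` is emptied and the `sentinelConnectionName` variable is removed, so any trigger or action in the definition (outside this hunk) that still uses `@parameters('$connections')['azuresentinel']['connectionId']` would now fail at runtime rather than at deploy time; please confirm the definition has no remaining azuresentinel reference. If it does not, the `$connections` parameter declaration could be dropped as well instead of being left as an empty object.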
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/Images/illumio-quarantine-workload.png b/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/Images/illumio-quarantine-workload.png
new file mode 100644
index 00000000000..b1f0a91c3b2
Binary files /dev/null and b/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/Images/illumio-quarantine-workload.png differ
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/README.md b/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/README.md
new file mode 100644
index 00000000000..99065dc816f
--- /dev/null
+++ b/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/README.md
@@ -0,0 +1,20 @@
+# Microsoft Sentinel Playbooks for Illumio Integration
+
+Playbooks are collections of procedures that can be run from Microsoft Sentinel.
+
+---
+
+## Quarantine Workload Playbook
+
+1. The logic app can be invoked as a http request.
+2. The payload should contain workload hostname/s and label/s.
+3. Function app is called with the above payload which makes a call to the PCE and applies labels to the workloads mentioned in payload.
+
+# To deploy, follow the below steps
+
+Deploy the function app first
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fillumio-shield%2FAzure-Sentinel%2Frefs%2Fheads%2Fillumio-sentinel-playbooks-v2%2FSolutions%2FIllumioSaaS%2FPlaybooks%2FCustomConnector%2FIllumioSaaS_FunctionAppConnector%2Fazuredeploy.json)
+
+
+Deploy the logic app next:
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fillumio-shield%2FAzure-Sentinel%2Frefs%2Fheads%2Fillumio-sentinel-playbooks-v2%2FSolutions%2FIllumioSaaS%2FPlaybooks%2FIllumio-Quarantine-Workload%2Fazuredeploy.json)
\ No newline at end of file
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/azuredeploy.json b/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/azuredeploy.json
new file mode 100644
index 00000000000..291c961400c
--- /dev/null
+++ b/Solutions/IllumioSaaS/Playbooks/Illumio-Quarantine-Workload/azuredeploy.json
@@ -0,0 +1,117 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Illumio Workload Quarantine Playbook",
+ "description": "This playbook leverages Illumio workloads API to quarantine a workload based on user inputs. .",
+ "prerequisites": [
+ "To use this playbook, ensure that you have valid API key and secret, org id and pce fqdn. Ensure that you deploy the template with the required context."
+ ],
+ "postDeployment": [
+ "After deployment open the playbook in edit mode and configure/authorize all connections and press save. "
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "2024-12-10T00:00:00.000Z",
+ "entities": [
+
+ ],
+ "tags": [ "Remediation" ],
+ "support": {
+ "tier": "Partner"
+ },
+ "author": {
+ "name": "Illumio"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0",
+ "title": "Illumio Quarantine Workload",
+ "notes": [ "Initial version" ]
+ }
+ ]
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Illumio-Quarantine-Workload",
+ "type": "String",
+ "metadata": {
+ "description": "PlayBook Name"
+ }
+ },
+ "FunctionAppName": {
+ "defaultValue": "illumiopbfuncapp",
+ "type": "String",
+ "metadata": {
+ "description": "Function app Name"
+ }
+ }
+ },
+ "variables": {
+ "functionAppName": "[parameters('FunctionAppName')]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('PlaybookName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "When_a_HTTP_request_is_received": {
+ "type": "Request",
+ "kind": "Http",
+ "inputs": {
+ "method": "POST",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "workloads": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "labels": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "actions": {
+ "QuarantineWorkloadFuncApp-quarantineWorkloadHTTPTrigger": {
+ "runAfter": {},
+ "type": "Function",
+ "inputs": {
+ "body": "@triggerBody()",
+ "function": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/quarantineWorkloadHTTPTrigger')]"
+ }
+ }
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {}
+ }
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
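Review bot: The Function action's id is built from `parameters('Functionappname')` while the parameter is declared as `FunctionAppName` and a `functionAppName` variable is declared for exactly this purpose and never used; ARM parameter lookups are case-insensitive so it deploys, but the line should read `'/providers/Microsoft.Web/sites/', variables('functionAppName'), '/functions/quarantineWorkloadHTTPTrigger'`. The Request trigger's `schema` is descriptive only and the whole `@triggerBody()` is forwarded to the function, so a caller that reaches the trigger URL can send any shape of payload to a remediation endpoint that applies labels to arbitrary workloads; setting `"operationOptions": "EnableSchemaValidation"` on the trigger rejects bodies that do not match, and restricting inbound callers via the workflow's `accessControl.triggers` IP allow-list is worth mentioning in `metadata.postDeployment`. `metadata.entities` is an empty array; if the playbook is not entity-triggered that is fine, but a short description of the expected request body in `metadata.description` would help, since the README only says "hostname/s and label/s".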
diff --git a/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json b/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json
index 0272894a8a0..c1c54406a87 100644
--- a/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json
+++ b/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json
@@ -20,8 +20,10 @@
"Analytic Rules/Illumio_VEN_Suspend_Query.yaml"
],
"Playbooks": [
+ "Playbooks/CustomConnector/IllumioSaaS_FunctionAppConnector/azuredeploy.json",
+ "Playbooks/Illumio-Get-Ven-Details/azuredeploy.json",
"Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json",
- "Playbooks/Illumio-Get-Ven-Details/azuredeploy.json"
+ "Playbooks/Illumio-Quarantine-Workload/azuredeploy.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\IllumioSaaS",
"Version": "3.3.2",
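Review bot: Two playbooks are added to the solution's `Playbooks` list, yet the `Version` field directly below stays at `3.3.2`; if the packaging tooling keys the generated solution package off this value, the new content will not be picked up as a new solution version. Bumping it alongside this change (and the `lastUpdateTime` values already touched in the playbook templates) keeps the package consistent.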
diff --git a/Tools/Create-Azure-Sentinel-Solution/common/commonFunctions.ps1 b/Tools/Create-Azure-Sentinel-Solution/common/commonFunctions.ps1
index 57f35fe0276..a2cdcf8dc50 100644
--- a/Tools/Create-Azure-Sentinel-Solution/common/commonFunctions.ps1
+++ b/Tools/Create-Azure-Sentinel-Solution/common/commonFunctions.ps1
@@ -1043,8 +1043,8 @@ function PrepareSolutionMetadata($solutionMetadataRawContent, $contentResourceDe
contentId = "[variables('_$fileName')]";
version = "[variables('playbookVersion$global:playbookCounter')]";
};
-
- if($fileName.ToLower() -match "FunctionApp")
+
+ if($IsFunctionAppResource)
{
$functionAppsPlaybookId = $playbookData.parameters.FunctionAppName.defaultValue